RESTful authentication - resulting poor performance on high load?


Problem description

For a RESTful web service we say that the server shouldn't store any state. Now for every request the 'user' must be authenticated and must have an authorization for the action(s) he/she wishes to carry out.

Now every request will contain authorization data for that user. Here are my confusions:

Assuming there is a login and password field on the home-page. The user enters the username/password which is sent back to the server, the user is verified and then 'some token' is returned. Now this token is sent to the server on every request. Question(s):


  • Does the backend DB need to have a separate table to store these tokens indexed by username?
  • Assuming the token is stored in a DB then every request needs to make a DB call. Doesn't that make the DB server a bottleneck in times of high load?
  • If the token is not really stored in the DB what is the best 'restful' place of storing it?
  • Having sessions is probably NOT restful, but then I fail to see how restful authentication/authorization scales up (w.r.t. the above points)?
  • If it's NOT a token then does the username/password need to be sent back and forth? (sounds like a bad idea :)

I may be misunderstanding the concept of RESTful authentication/authorization. But is this really the case that for every HTTP request the 'service' needs to make a trip to the DB to verify the credentials? Is there something that can shortcut the process and still hold true to restful principles? I could think of having a cache that stores the details and in case of server restart it just makes the trip to the DB. That is just a performance benefit that could complicate the system (maybe worth it, don't know). Is this the only solution?

So from a theoretical/conceptual standpoint of REST (not necessarily implementation) how is this issue handled (if at all it is an issue)? How have you in your professional experience handled this issue and how RESTful was the approach?

We are working on a Restlet+J2EE+MySQL RESTful web service and I had this question pop up but found no satisfactory answers (Google, Stack Overflow etc.). I'm aware of HTTP's Basic and Digest authorization, but I'm not familiar with the internals of storage/retrieval as per the above explanation.

Recommended answer

The spirit of REST is statelessness. This does not mean that client state cannot be persisted by a service, but in practice it does mean that client state held in memory by a server is generally a bad thing.

Instead of keeping authentication data in memory, or going to the DB for verification every time, what you can do is keep a function in memory (i.e., code) that is used to crypt/decrypt user information. This is a technique that is also suggested by:

What should I store in a cookie to implement "Remember me" during user login

So, for example, what you would do is the following:


  1. When a client first contacts the service, it has no cookie.
  2. You issue a cookie that contains user info and "sign" it using your function (which all servers, running your code, can do).
  3. When the client contacts the service again, you check if it has a cookie; if not, repeat (2).
  4. However, if it does have a cookie, you attempt to decrypt (again, using your single function which is replicated across your infrastructure) and verify that you can unwrap and digest that user ID info.
  5. This verifies the user and gives you identity info, all without going to the DB more times than is necessary. And it's RESTful.

Keep in mind that this "function" I describe is not a novel thing - it's a standard secure hash, but one that is based off a unique private key that only your collective servers know about. And you can rotate such a key, etc. as needed.
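The following is an added worked example of the scheme the answer describes (steps 1 to 5 and the keyed "function" in the last paragraph); it is not code from the answer or from the asker's Restlet project. It assumes HMAC-SHA256 as the "secure hash based off a private key", a key id prefix in the token so a key can be rotated without invalidating every outstanding cookie at once, and a short expiry carried inside the payload. The keyring secrets are constructed demo values, and every server would load the same keyring from configuration, so verifying a request never touches the database.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo keyring (key id -> secret), assumed to be loaded from
# configuration on every server. Two keys are present to show rotation:
# "k1" is the previous key (still accepted), "k2" signs new tokens.
KEYRING = {
    "k1": b"previous-demo-secret-do-not-use-in-production",
    "k2": b"current-demo-secret-do-not-use-in-production",
}
CURRENT_KID = "k2"
TOKEN_TTL_SECONDS = 3600


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token fits in a cookie value."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(kid: str, payload_b64: str) -> bytes:
    # The key id is covered by the MAC so it cannot be swapped for another key
    # without invalidating the signature.
    msg = f"{kid}.{payload_b64}".encode("ascii")
    return hmac.new(KEYRING[kid], msg, hashlib.sha256).digest()


def issue_token(user_id: str, roles, now=None, kid=None) -> str:
    """Step 2: called once, after username/password were checked against the DB."""
    now = int(time.time()) if now is None else now
    kid = CURRENT_KID if kid is None else kid
    payload = {
        "sub": user_id,
        "roles": sorted(roles),
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    payload_b64 = _b64e(
        json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    )
    return f"{kid}.{payload_b64}.{_b64e(_mac(kid, payload_b64))}"


def verify_token(token: str, now=None):
    """Steps 4 and 5: called on every request, no DB access.

    Returns the payload dict if the token is trusted, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        kid, payload_b64, sig_b64 = token.split(".")
        if kid not in KEYRING:  # unknown or already retired key
            return None
        # Constant-time comparison so timing does not reveal matching bytes.
        if not hmac.compare_digest(_mac(kid, payload_b64), _b64d(sig_b64)):
            return None
        payload = json.loads(_b64d(payload_b64))
        if payload["exp"] <= now:  # valid MAC but expired: reject
            return None
        return payload
    except (ValueError, KeyError, TypeError):
        # Malformed base64/JSON, missing fields, wrong segment count, ...
        return None


def retire_key(kid: str) -> None:
    """Finish a rotation: tokens signed with this key stop verifying everywhere."""
    KEYRING.pop(kid, None)


if __name__ == "__main__":
    t = issue_token("alice", ["user"])
    print("issued:  ", t)
    print("verified:", verify_token(t))
```

Two properties of this design are worth keeping in mind. The HMAC only authenticates the payload, it does not hide it, so nothing secret belongs in the cookie (and the cookie should be marked Secure and HttpOnly). And because no server-side record exists, a token cannot be revoked before its `exp` without reintroducing state, which is why the TTL is kept short; rotating and then retiring a key, as `retire_key` shows, is the coarse-grained way to invalidate everything signed under it.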

